About this weblog

Here we'll explore the nexus of legal rulings, Capitol Hill
policy-making, technical standards development, and technological
innovation that creates -- and will recreate -- the networked world as we
know it. Among the topics we'll touch on: intellectual property
conflicts, technical architecture and innovation, the evolution of
copyright, private vs. public interests in Net policy-making, lobbying
and the law, and more.

Disclaimer: the opinions expressed in this weblog are those of the authors and not of their respective institutions.

April 23, 2004

CFP: Gmail v. Corporate Mail

Posted by Jason Schultz

An interesting issue has come up in the Gmail and privacy session @ CFP. If you send an email to someone at a corporation, e.g. jason@microsoft.com, there is an implicit understanding amongst most people that Microsoft could scan the email and read its contents. After all, Microsoft has a number of trade secrets to protect (as well as other interests) and since you are sending the email to one of its employees, it presumptively has the right to check it to make sure it isn't causing the corporation any harm. At the very least, it could argue that since the mail has been sent to its comptuer servers, it has a right to look at it if it wants.

So what about Gmail? Shouldn't people have the same low expectations of privacy if they send email to someone using a gmail.com email address? After all, the email is residing on Gmail's servers and there's no illusion that the email is residing on a private server.

The difference, I think, is one of perceived control and ownership. When I send email to microsoft.com, I understand that Microsoft has a right to police its email and servers because the person you are sending the mail to is an employee there -- someone who Microsoft has control and supervision over while they are at work.

With Gmail, however, Google doesn't have any control or supervision over its users. At least, that's our current perception. In return for seeing ads, users get a Gig of storage. That's the relationship. Google doesn't try to tell the user what to use to account for or try to control their behavior or supervise it. Therefore, when I send email to someone at a Gmail account, I assume the user is in control of the privacy of that email, not Google.

You can *assume* what you want, but your assumptions don't bind the recipient of your email! He can share it or have it scanned however he likes. The relevant relationship is between him and Gmail. Mail senders should understand that it is the recipient's decision about how much privacy they will apply to the received email.

And anyway, it's pretty questionable whether people aren't going to know how gmail.com email addresses work, it's been one of the biggest stories on the net for weeks. Imagine sending mail to addr@xyz.com: is that a business address or a personal one? Half the time you can't even tell.

Really you have no business *assuming* what will happen to your email once it arrives. There are too many possibilities.

Keep in mind that what GMail's computers do is "read" and analyze each piece of your mail. Will this analysis be used for purposes other than generating a realtime ad? Might it be used to develop patterns of interest (which would be logical from a marketing perspective - think of the potential marketing value of your library records)? Might it be used to monitor specific types of interests (also logical marketing-wise, but which might, for example, be interpreted as possible involvement in terrorist activities)? Might you be improperly associated with topics simply because someone sends you a message on that topic (including but not at all limited to spam)?

Past history suggests that when such a capability exists and is widely used, the government may well be tempted to use it (usually without publicity and without a subpoena). If you examine our history over the past couple of decades (and look at the contemporary rationale put forth supporting the Patriot Act), you will see that this isn't (necessarily) paranoid conjecture.

Actually, Google has come out and said that the scan of your email is essentially done "real time" when you open a message to display ads to you at that moment. Then any information is dumped -- no logs. So they have said they won't use it beyond that.

Of course, its still possible for the government to access any and all of your email hosted by Google (or any other webhosting company) through a warrant, or after 180 days of storage, an administrative subpoena. The only thing Gmail changes is your tendency to keep mail on their servers. With 1 GB of storage, you can keep a lot more a lot longer.

To expect that Google will not keep track of the preferences it deduces is simply not realistic. That's valuable information that makes no economic or marketing sense to discard. History (and common sense) shows us it will be used.

If you agree with the foregoing, it's easy to see that a government agency's temptation will be much greater (that if it had to collect/process the raw messages).